Crime.net is a term I use to describe the impact of network technologies such as the Internet and mobile phones on crime and criminal enterprises. Applications of Crime.net include the following:

Commission of crimes – this is the one part of Crime.net that’s gotten mainstream press coverage so far. Phishing, hacking into computers for credit card numbers, and so on. Data thefts at major retailers such as BJ’s Wholesale Club and Lowe’s indicate that there is probably more of this going on than has been reported in the media. And smart criminals may target smaller retailers that can’t afford the security resources of large corporations. Although not strictly a network based attack, computers have also been used to steal cars and other items as reported here and here.

Scouting targets – identifying people or places that are likely targets for crimes, and developing intelligence about targets. One blogger recently revealed how to use Google Calendar to scout potential victims for burglarly or worse. Sound far fetched? Criminals in South Africa have been observed using cell phones to photograph potential victims. Google maps provides detailed maps for locating possible escape routes, planning look out locations and so on. Satellite imagery can be used to examine roof tops for covert access points to buildings.

Sharing criminal expertise – Criminals have used websites, blogs, etc. to share methods of operation, criminal techniques and strategies, an even information about specific targets. The notorious Shadowcrew site included instructions on how to commit identity theft and fraud. Some worry that these marketplaces will become a “bazaar of violence” facilitating murder and terrorism.

Online markets for stolen goods – The Shadowcrew created an online market for stolen credit card numbers and eBay is used to “fence” stolen goods. More of these sorts of sites likely exist today.

Avoiding capture – criminals can use surveillance technologies, cell phones, etc. to warn each other of the approach of law enforcement personnel. Usually we think of surveillance technologies being used to fight crime, but criminals can also use them to avoid capture. Picture phones and wireless IP based cameras can be used to warn of the approach of law enforcement. Drug dealers use cellphones and multiple operatives to avoid capture with large quantities of cash and drugs for example. Analysis of publicly reported crime statistics can be used to predict areas with less law enforcement coverage. Imagine a future web site where criminals could determine the locations of police cars in real-time accessible over a cellphone or by using a stolen or otherwise obtained police data terminal.

I have written elsewhere about the likelihood that Second Life would be targeted by criminals for identity theft purposes and sadly such an event has come to pass. The volume of money flowing through Second Life’s economy ($64 million annually according to Popular Science) makes it an obvious target for attack. And apparently Linden Labs’ security practices have been less than stellar.

Linden Labs posted a security bulletin yesterday on the Second Life site announcing that a “zero-day exploit” had been used to access customer account records including passwords and possibly payment information. While the original security bulletin itself was quite terse and made no mention of compromised payment information, a subsequent e-mail and included FAQ revealed:

We discovered that a database was accessed by the intruder, and we are able to determine the aggregate size of the data that was downloaded through the intrusion. The database accessed includes customer account information, including Second Life account names, real-life name and contact information in unencrypted form. Account passwords and payment information (consisting of credit card numbers and Paypal transaction IDs) are stored in this same database in encrypted form. However, there is no way to identify which data were accessed at the level of individual users, only the aggregate size of the downloads returned from the intruding database queries. We are conducting further investigation to try to determine the class of data exposed.

“Zero-day exploit” is a general term for any attack that is launched the same day as a new product or patch is released. For example, Microsoft announced a zero-day exploit attack on Internet Explorer back in 2005. Linden Labs didn’t reveal exactly what software was compromised, stating only that it was “third party” software.

Personally I don’t find this answer very satisfying nor should other SL users. Passing the buck to a “third party” won’t protect user data. It is clear from the brief description of the events which was released that the company has not been following industry best practices. There is simply no excuse for storing private information such as credit card numbers or users’ true names in the clear. According to the e-mailed FAQ, Linden Labs uses MD5 hash encryption for protecting payment information, however cracks for MD5 hashes are available on-line from several sources. For example, here, here, and here. Also see this article for a more technical explanation of the state of the art attacks on MD5. Wikipedia also has a good introduction to the issues surrounding MD5 here.

While the objective of the attackers probably was to obtain personal information and credit card numbers for the purposes of identity theft and credit card fraud, the breach also revealed SL users’ true names raising the spectre of more personal attacks and in world impersonations. It is less than clear where this information might end up. Participants in Gorean slavery or other unusual on-line sexual practices within Second Life, may not be too pleased to learn that their true identities might be revealed to spouses or employers. Second Life users may want to think twice before strapping on that genitalia next time.